
Learn how hackers can rewrite (alter) files on WordPress sites

Damage from hacking is on the rise, and because today's programs do so many things, a tampered program has become a major problem.
This article explains how hackers rewrite WordPress files and considers ways to improve security.

What happens if a file on the server is tampered with by a hacker?

Hackers most often tamper with files on your site to make money. Below is a brief list of what hackers do by rewriting your site's program files.

  • Redirect visitors of your site to another site to profit from the number of visits
  • Infect the computers of users who access your site with a virus and steal information such as credit card numbers, FTP credentials, or passwords
  • Create links from your site to push a page to the top of search engine results
  • Hide the hacker's identity by using your site as a springboard for other hacking activities
  • Embed fake pages on your site and steal users' personal information
  • Send advertising emails from your server to many users, inducing them to buy goods and software

Hacker activity that may harm the people who visit your site is especially troublesome, because there is a risk that you end up as a perpetrator rather than a victim.

How a hacker rewrites a WordPress file 1 – Taking administrative rights

WordPress is the most popular CMS in the world. It is a very flexible system that lets you post content from the management screen and also edit theme and plug-in program files from the management screen.
Because of this flexibility, a hacker who can log in with your site's administrator privileges can embed malicious programs directly into your site.

Hackers steal administrative rights with a technique called a brute force attack: mechanically repeating the login and trying passwords one after another until the right one is found.

We recommend the following measures to prevent administrator privileges from being stolen.

1 Change your password to a WordPress-generated password

In the WordPress management screen, go to Users > All Users, select the administrative user, and change the password to the one produced by the password generator at the bottom.

2 Block access from the computers of hackers who are carrying out brute force attacks

By using the security plug-in, you can automatically block access from hackers who are carrying out brute force attacks.

Link: WordPress: Malware Scan & Security Plugin

Once the plug-in is installed, check “Login Lockdown”, “WPSCAN Prohibition” and “Prohibit access to Brute Force Attack IP to XMLRPC, wp-login” functions.
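To show what the brute force pattern described above looks like in a web server access log, the following added example (not code from the plugin or from this page) counts login POSTs to wp-login.php and xmlrpc.php per client address. The function name, the threshold of 5 attempts in 60 seconds, and the sample log lines are assumptions made for the illustration.

```php
<?php
// Added example (not the plugin's code). Assumes the "combined" access-log
// format; the threshold and window are illustrative values.
const LOGIN_PATHS = ['/wp-login.php', '/xmlrpc.php'];

function find_bruteforce_ips(array $lines, int $maxAttempts = 5, int $windowSeconds = 60): array
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3}/';
    $attempts = []; // client IP => timestamps of login POSTs
    foreach ($lines as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // not in the expected format
        }
        [, $ip, $time, $method, $uri] = $m;
        if ($method !== 'POST' || !in_array(parse_url($uri, PHP_URL_PATH), LOGIN_PATHS, true)) {
            continue; // only login submissions count as attempts
        }
        $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $time);
        if ($ts !== false) {
            $attempts[$ip][] = $ts->getTimestamp();
        }
    }

    $flagged = []; // client IP => total login POSTs seen
    foreach ($attempts as $ip => $stamps) {
        sort($stamps);
        $start = 0;
        foreach ($stamps as $end => $t) {
            while ($t - $stamps[$start] > $windowSeconds) {
                $start++; // slide the window forward
            }
            if ($end - $start + 1 > $maxAttempts) {
                $flagged[$ip] = count($stamps);
                break;
            }
        }
    }
    return $flagged;
}

// Constructed sample log: eight login POSTs in eight seconds from one address,
// plus one ordinary visitor who logs in once.
$sample = [];
for ($i = 0; $i < 8; $i++) {
    $sample[] = sprintf('203.0.113.10 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4523', $i);
}
$sample[] = '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0';

print_r(find_bruteforce_ips($sample));
```

Addresses returned by the function are candidates for the kind of blocking the lockdown features perform.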

How hackers rewrite WordPress files 2 – Exploiting vulnerabilities in themes and plug-in programs

Hackers can also use a vulnerability in a program uploaded to the server to tamper with files on the server without taking administrative rights.

This is a more advanced method that works by exploiting program vulnerabilities. WordPress is made up of thousands of programs, and in rare cases WordPress itself, plugins, or themes contain vulnerabilities that cause behavior the developer did not intend.

For example, consider the following code:

<?php eval($_POST['a']); ?>

This single line of code is vulnerable enough that it allows writing anything on the server, generating pages, sending spam emails, modifying existing files, and so on.

Vulnerabilities in themes and plugins are disclosed on various sites, so hackers use them to tamper with sites.
Below we explain how to prevent tampering that relies on such vulnerabilities.

1 Update your WordPress, plugins and themes once every few months

Plugin and theme developers may have fixed vulnerabilities, so updating plugins, themes and WordPress itself is a basic way to prevent hacking via vulnerabilities.

It is possible to do vulnerability check with WordPress Doctor malware scanner plugin.

2 Minimize plugins and themes, and remove unused themes and plugins

Are unused plug-ins and themes left inactive on the server? Just because something is not activated doesn't mean it's safe.
Many vulnerabilities are exploited by hackers accessing the file directly, so a file may be dangerous simply because it is on the server.

We recommend that unused plugins and themes also be updated, or simply deleted from the server if they are unnecessary.

3 Hide WordPress and Plugin Versions

Hackers know the vulnerable versions of WordPress, themes, and plugins, and check the plugins and themes installed on your site before hacking.

You can use the WordPress: Malware Scan & Security Plug-in to keep version information from appearing in your WordPress site's HTML code.

Please enable the “WordPress version leak prevention function” of the plug-in.

4 Prevent hackers from directly accessing the folder and seeing the file contents

If a folder on the server contains no INDEX.HTML, the server will list the files in that folder when the folder is accessed (a function called directory listing).

It is dangerous if your site is in this state, because search engines pick up pages that list directories, and these pages may appear in search results.

Hackers can easily search folders with directory listings for vulnerable plugins.

Please use the “Prohibit Index List Display” feature of the WordPress: Malware Scan & Security Plugin.

5 Set the file write permission properly

It is possible to prevent hackers from tampering with files by setting the write permissions of the files contained in WordPress.
By using our security plug-in, if there is a problem with file write permission, it will be displayed, so please set the file write permission properly with FTP software.
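As an added example (not the plugin's scanner and not code from this page), the script below audits a WordPress directory tree for two things discussed above: files that are writable by group or others, and PHP files that pass request data straight to eval() like the one-liner shown earlier. Treating any group- or world-writable file as a finding is this example's assumption, the function name is hypothetical, and the sample tree is constructed in a temporary directory on a POSIX system.

```php
<?php
// Added example: report loosely permissioned files and eval() on request data.
// Assumes POSIX permission bits; the "0022" rule is this example's baseline.
function audit_tree(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $mode = $file->getPerms() & 0777; // keep only the rwx bits
        if ($mode & 0022) {               // group-write or other-write set
            $findings[] = sprintf('%s: mode %04o is writable by group/others', $path, $mode);
        }
        // Heuristic match for eval($_POST[...]) and its GET/REQUEST/COOKIE variants.
        if (strtolower($file->getExtension()) === 'php'
            && preg_match('/\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b/i', file_get_contents($path))) {
            $findings[] = "$path: eval() called on request data";
        }
    }
    sort($findings);
    return $findings;
}

// Constructed sample tree so the script runs offline.
$root = sys_get_temp_dir() . '/wp-audit-' . uniqid();
mkdir("$root/wp-content/plugins/demo", 0755, true);
$sampleFiles = [
    'wp-config.php'                      => ['<?php // constructed', 0666],
    'wp-content/plugins/demo/ok.php'     => ['<?php echo "ok";', 0644],
    'wp-content/plugins/demo/upload.php' => ['<?php eval($_POST[\'a\']);', 0644],
];
foreach ($sampleFiles as $rel => [$body, $mode]) {
    file_put_contents("$root/$rel", $body);
    chmod("$root/$rel", $mode);
}

print_r(audit_tree($root));
```

The eval() pattern is a simple heuristic: it catches the plain form shown on this page and will miss obfuscated variants.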

How a hacker rewrites a WordPress file 3 – Rewriting a database

WordPress records theme and plugin settings, text information of posted content, etc. in the database.
Since user information and passwords are also recorded in the database, a hacker who can rewrite it can obtain administrator privileges.
*This method is called SQL injection.

For example, if the program contains the following code, it is possible to rewrite the database.

<?php $wpdb->query("SELECT * from wp_option where id = " .$_POST['a']); ?>

This database rewrite is also performed by exploiting the program vulnerability described in 2. It is possible to suppress it by taking the measures described in 2.
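For developers who find a query like the one above in their own theme or plugin, this added example (not code from this page or from the security plug-in) shows the same lookup with the input validated and bound through $wpdb->prepare(). It assumes the code is loaded inside WordPress, where $wpdb, WP_Error and wp_unslash() exist; lookup_option_row() is a hypothetical name, and the table and column names are kept as written in the page's query.

```php
<?php
// Added example: the page's query with validated, bound input.
// Assumes a WordPress context (for instance a plugin file).

function lookup_option_row($raw_id)
{
    global $wpdb;

    // 1. Validate: accept only a string made of digits, reject everything else
    //    (arrays, empty strings, signs, spaces, SQL keywords).
    if (!is_string($raw_id) || !ctype_digit($raw_id)) {
        return new WP_Error('invalid_id', 'id must consist of digits only');
    }

    // 2. Bind: with the %d placeholder, prepare() formats the value as an
    //    integer, so the input cannot change the structure of the statement.
    $sql = $wpdb->prepare('SELECT * FROM wp_option WHERE id = %d', (int) $raw_id);

    // 3. Run the prepared statement and return the matching rows.
    return $wpdb->get_results($sql);
}

// Before (from the page):
//   $wpdb->query("SELECT * from wp_option where id = " . $_POST['a']);
// After:
$rows = lookup_option_row(isset($_POST['a']) ? wp_unslash($_POST['a']) : '');
```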

Hackers are always looking for sites that can be easily tampered with, so it's important to make your site one that hackers cannot easily intrude into.